Version: ACE 5

Authorization

info

This section introduces the approach ACE uses for developer authorization. The information here applies as of ACE release 24.1.0.

Supported services

ACE supports authorization with Keycloak and also allows generic configuration for other OIDC providers, such as Auth0.

General approach

ACE authorization uses the OAuth Authorization Code Flow with a long-lived access token.

Token expiry

ACE uses a long-lived access token and does not keep refresh tokens. Because of this, it is important to configure the authorization service with a longer lifetime for the client access token, so that the token does not expire during daily development.

Preferably, the expiry should be configured to a time period between 12h and 24h.

Supported algorithms

ACE supports configuration for both the asymmetric RS256 and the symmetric HS256 algorithms.

Generally, we recommend using RS256 as this is typically the pre-configured setting in authorization services and the easiest to set up.
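
As an added example (not ACE code), this diagnostic decodes an access token issued by your provider and checks it against the two recommendations above: an `alg` of RS256 or HS256 and a lifetime between 12h and 24h. It assumes the token is a JWT carrying `iat` and `exp` claims, it does not verify the signature, and the function names and sample tokens are constructed for illustration.

```python
import base64
import json

SUPPORTED_ALGS = {"RS256", "HS256"}   # algorithms the page lists as supported
MIN_LIFETIME_S = 12 * 3600            # recommended lower bound (12h)
MAX_LIFETIME_S = 24 * 3600            # recommended upper bound (24h)

def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (JWTs strip the '=' padding) to a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def inspect_access_token(token: str) -> list:
    """Return findings; an empty list means the token matches the guidance.

    Diagnostic only: the signature is NOT verified here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected header.payload.signature)"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not valid base64url JSON"]
    findings = []
    alg = header.get("alg")
    if alg not in SUPPORTED_ALGS:
        findings.append(f"alg {alg!r} is not RS256 or HS256")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        findings.append("iat/exp missing or not numeric; lifetime unknown")
    else:
        lifetime = int(exp - iat)
        if lifetime < MIN_LIFETIME_S:
            findings.append(f"lifetime {lifetime}s is shorter than 12h")
        elif lifetime > MAX_LIFETIME_S:
            findings.append(f"lifetime {lifetime}s is longer than 24h")
    return findings

def make_sample(alg: str, lifetime_s: int) -> str:
    """Build a constructed sample token with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    claims = {"iat": 1700000000, "exp": 1700000000 + lifetime_s}
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    print(inspect_access_token(make_sample("RS256", 300)))
```

Pass it a token copied from a developer login; a short lifetime finding usually means the provider's client access token lifetime is still at its default.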

Configuration

Here are the expected environment variables for each configuration.

Keycloak

Environment variables:

OIDC

Environment variables: